MacMa is a macOS-based backdoor with a large set of functionalities to control and exfiltrate files from a compromised computer. MacMa has been observed in the wild since November 2021.[1] MacMa shares command and control and unique libraries with MgBot and Nightdoor, indicating a relationship with the Daggerfly threat actor.[2]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1555.001 | Credentials from Password Stores: Keychain | |
| Enterprise | T1005 | Data from Local System | MacMa can collect then exfiltrate files from the compromised system.[1] |
| Enterprise | T1543.001 | Create or Modify System Process: Launch Agent | MacMa installs a |
| Enterprise | T1573 | Encrypted Channel | MacMa has used TLS encryption to initialize a custom protocol for C2 communications.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | MacMa decrypts a downloaded file using AES-128-ECB with a custom delta.[1] |
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | MacMa can execute supplied shell commands and uses bash scripts to perform additional actions.[1][3] |
| Enterprise | T1113 | Screen Capture | MacMa has used Apple's Core Graphics APIs, such as |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | MacMa has stored collected files locally before exfiltration.[3] |
| Enterprise | T1083 | File and Directory Discovery | MacMa can search for a specific file on the compromised computer and can enumerate files in the Desktop, Downloads, and Documents folders.[1] |
| Enterprise | T1106 | Native API | |
| Enterprise | T1070.002 | Indicator Removal: Clear Linux or Mac System Logs | MacMa can clear possible malware traces such as application logs.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | |
| Enterprise | T1070.006 | Indicator Removal: Timestomp | MacMa has the capability to create and modify file timestamps.[1] |
| Enterprise | T1082 | System Information Discovery | MacMa can collect information about a compromised computer, including the hardware UUID, Mac serial number, macOS version, and disk sizes.[1] |
| Enterprise | T1033 | System Owner/User Discovery | MacMa can collect the username from the compromised machine.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1105 | Ingress Tool Transfer | MacMa has downloaded additional files, including an exploit used for privilege escalation.[1][3] |
| Enterprise | T1056.001 | Input Capture: Keylogging | MacMa can use Core Graphics Event Taps to intercept user keystrokes from any text input field and save them to text files. Text input fields include Spotlight, Finder, Safari, Mail, Messages, and other apps that have text fields for passwords.[3][4] |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1021 | Remote Services | |
| Enterprise | T1041 | Exfiltration Over C2 Channel | MacMa exfiltrates data from a supplied path over its C2 channel.[1] |
| Enterprise | T1095 | Non-Application Layer Protocol | MacMa has used a custom JSON-based protocol for its C&C communications.[1] |
| Enterprise | T1571 | Non-Standard Port | |
| Enterprise | T1123 | Audio Capture | |
| Enterprise | T1553.001 | Subvert Trust Controls: Gatekeeper Bypass | MacMa has removed the |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | MacMa has been delivered using ad hoc Apple Developer code signing certificates.[5] |
| ID | Name | References |
|---|---|---|
| G1034 | Daggerfly | Daggerfly is linked to the use and potentially the development of MacMa through overlapping command and control infrastructure and shared libraries with other unique tools.[2] |